Geekzone: technology news, blogs, forums


Lias


#262311 15-Jan-2020 22:42

It's bad.. to put it in perspective, it's so bad that when the NSA discovered it they actually reported it to Microsoft rather than use it..

 

MS Article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

 

NSA Writeup: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

 

 





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


Andib

  #2392740 16-Jan-2020 08:04

It's bad but not that bad IMO, Microsoft themselves have only marked it as important not critical.

 

it's so bad that when the NSA discovered it they actually reported it to Microsoft rather than use it..

 

The more likely situation is they've handed over the exploit (which they've likely been using for a while) as another group has also discovered it.





<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>




nzkc


  #2392743 16-Jan-2020 08:08

Andib:

 

The more likely situation is they've handed over the exploit (which they've likely been using for a while) as another group has also discovered it.

 

 

It appears we are cynics together. This was immediately my thought too.


Lias


  #2398785 16-Jan-2020 11:13

Andib:

 

It's bad but not that bad IMO, Microsoft themselves have only marked it as important not critical.

 

it's so bad that when the NSA discovered it they actually reported it to Microsoft rather than use it..

 

The more likely situation is they've handed over the exploit (which they've likely been using for a while) as another group has also discovered it.

 

 

Microsoft seem to be downplaying it, but other people whose opinion I value (e.g. Tavis Ormandy) think it's pretty bad.

 

As of 3 hours ago one security researcher has successfully made Chrome/Edge (which both use the affected Windows library) play Never Gonna Give You Up on YouTube while it thinks it's connected to nsa.gov and github.com respectively.

 

A couple of others have demonstrated code signed versions of tampered executables that validate.

 

 

 

 












